A method for securing an IT (information technology) system using a set of methods for knowledge extraction, event detection, risk estimation and explanation for ranking cyber-alerts which includes a method to explain the relationship (or an attack pathway) from an entity (user or host) and an event context to another entity (a high-value resource) and an event context (attack or service failure).
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method of protecting a cyber system, the method comprising: modeling the cyber system as a heterogeneous network of nodes using a tripartite user-host-application graph comprising a user-host sub-graph and a host-application sub-graph; transforming the tripartite user-host-application graph into a tabular representation that preserves topological properties of the nodes, wherein each of the nodes from the tripartite user-host-application graph comprise a point in multidimensional vector space within the tabular representation; analyzing user traffic within the cyber system based on the tabular representation to identify one or more anomalies within the cyber system; and generating at least one modification to the cyber system to restrict activity within the cyber system based on the identified anomalies and the modeling.
2. The method of claim 1, wherein the tripartite user-host-application graph comprises a hierarchical aggregation of information, from high-resolution, narrower context to coarser-resolution, broader context.
3. The method of claim 1, wherein at least one of the anomalies comprises an abstract event or a kill-chain event.
4. The method of claim 1, further comprising: performing a graph-walk based on the tripartite user-host-application graph.
5. The method of claim 1, wherein at least one of the anomalies comprises a graph-walk problem indicative of a lateral attack.
6. The method of claim 1, wherein the analyzing the user traffic uses a Long-Short Term Memory (LSTM) neural network to ascertain the anomalies.
7. The method of claim 6, wherein the LSTM neural network comprises an attention layer and a dense network layer.
8. The method of claim 1, further comprising: calculating respective specificity scores for the identified anomalies indicative of relative importance of the nodes associated with each of the respective anomalies; and wherein the generating the modification is further based on the specificity scores.
9. The method of claim 1, further comprising: calculating coherence scores for the identified anomalies indicative of relative tightness of nodes associated with each of the respective anomalies; and wherein the generating the modification is further based on the coherence scores.
10. The method of claim 1, further comprising: calculating reachability scores for the identified anomalies indicative of relative numbers of nodes accessible by each of the respective anomalies; and wherein the generating the modification is further based on the reachability scores.
11. The method of claim 10, wherein the generating the modification comprises inputting the reachability scores into a greedy algorithm.
12. The method of claim 11, wherein the greedy algorithm outputs respective scopes of restriction for the anomalies based on the reachability scores.
13. A system comprising a series of circuitry that implements a cyber security feature, the cyber security feature configured to: model an associated cyber system as a heterogeneous network of nodes using a tripartite user-host-application graph comprising a user-host sub-graph and a host-application sub-graph; transform the tripartite user-host-application graph into a tabular representation that preserves topological properties of the nodes, wherein each of the nodes from the tripartite user-host-application graph comprise a point in multidimensional vector space within the tabular representation; analyze user traffic within the cyber system based on the tabular representation to identify one or more anomalies within the cyber system; and generate at least one modification to the cyber system to restrict activity within the cyber system based on the identified anomalies and the modeling; and output the at least one modification.
14. The system of claim 13, wherein the system is connected to the associated cyber system.
15. The system of claim 13, wherein the cyber security feature is further configured to perform one or more graph walks between nodes of the tripartite user-host-application graph.
16. The system of claim 15, wherein at least one of the anomalies is based on the graph walks.
17. The system of claim 13, wherein the generating the modification is further based on specificity, coherence, or reachability scores for the anomalies.
18. The system of claim 13, wherein the multidimensional vector space comprises a 50-dimensional vector space, a 100-dimensional vector space, or a 200-dimensional vector space.
19. The system of claim 13, wherein: the tripartite user-host-application graph comprises multiple scales; and the cyber security feature is further configured to transform the tripartite user-host-application graph into the tabular representation by transforming the tripartite user-host-application model at each scale.
20. One or more non-transitory computer readable storage media that, when executed by one or more processors, causes the one or more processors to: model an associated cyber system as a heterogeneous network of nodes using a tripartite user-host-application graph comprising a user-host sub-graph and a host-application sub-graph; transform the tripartite user-host-application graph into a tabular representation that preserves topological properties of the nodes, wherein each of the nodes from the tripartite user-host-application graph comprise a point in multidimensional vector space within the tabular representation; analyze user traffic within the cyber system based on the tabular representation to identify one or more anomalies within the cyber system; and generate at least one modification to the cyber system to restrict activity within the cyber system based on the identified anomalies and the modeling; and output the at least one modification.
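The claims above describe a tripartite user-host-application graph, graph walks over it that expose lateral attack pathways (claims 4, 5, 15 and 16), reachability scores for the entities tied to an anomaly (claim 10), and a greedy algorithm that turns those scores into a scope of restriction (claims 11 and 12). The Python below is an added illustrative example and is not the patent's implementation or code from its assignee. The sample logon and application events are constructed; the rule that a walk passes through users and hosts (a shared host links the users who log on to it) while applications are endpoints that are never expanded is an assumption; the greedy tie-break on node degree is an assumed choice. The vector-space embedding of claim 1 and the LSTM detector of claims 6 and 7 are treated as an upstream stage that has already flagged the entities passed in.

```python
"""Illustrative tripartite user-host-application graph with graph walks,
reachability scores and a greedy restriction scope. Added example, not the
patent's implementation; traversal and scoring rules are assumptions."""
from collections import defaultdict, deque

# Constructed sample telemetry (assumed shape): user->host logons, host->application events.
LOGONS = [
    ("alice", "ws01"), ("alice", "ws02"),
    ("bob", "ws02"), ("bob", "srv-db"),
    ("carol", "ws03"),
    ("svc-backup", "srv-db"), ("svc-backup", "srv-file"),
]
APP_EVENTS = [
    ("ws01", "outlook"), ("ws02", "outlook"), ("ws02", "psexec"), ("ws03", "outlook"),
    ("srv-db", "mssql"), ("srv-file", "smb"),
]
# Constructed set of high-value resources to keep unreachable from anomalous entities.
HIGH_VALUE = frozenset({"mssql", "smb"})


class TripartiteGraph:
    """Undirected graph whose nodes carry a layer: user, host or application."""

    def __init__(self, logons, app_events):
        self.adj = defaultdict(set)
        self.layer = {}
        for user, host in logons:
            self._add(user, "user", host, "host")
        for host, app in app_events:
            self._add(host, "host", app, "application")

    def _add(self, a, layer_a, b, layer_b):
        self.layer[a], self.layer[b] = layer_a, layer_b
        self.adj[a].add(b)
        self.adj[b].add(a)

    def _walk(self, start, blocked):
        """BFS graph walk yielding (node, parent). Assumed rule: users and hosts
        are expanded, applications are endpoints; blocked nodes are never entered."""
        if start in blocked:
            return
        parent = {start: None}
        queue = deque([start])
        while queue:
            n = queue.popleft()
            yield n, parent[n]
            if self.layer[n] == "application":
                continue
            for m in sorted(self.adj[n]):  # sorted for deterministic pathways
                if m not in parent and m not in blocked:
                    parent[m] = n
                    queue.append(m)

    def reachable(self, start, blocked=frozenset()):
        """Every node a walk from start can reach, excluding start itself."""
        return {n for n, _ in self._walk(start, blocked)} - {start}

    def pathway(self, start, target, blocked=frozenset()):
        """Shortest attack pathway from start to target as a node list, or None."""
        parent = {}
        for n, p in self._walk(start, blocked):
            parent[n] = p
            if n == target:
                path = []
                while n is not None:
                    path.append(n)
                    n = parent[n]
                return path[::-1]
        return None


def reachability_score(graph, node):
    """Assumed definition in the spirit of claim 10: number of nodes the entity can reach."""
    return len(graph.reachable(node))


def rank_anomalies(graph, anomalies):
    """Order flagged entities by reachability, largest blast radius first."""
    scored = [(a, reachability_score(graph, a)) for a in anomalies]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


def restriction_scope(graph, anomaly, high_value, budget=3):
    """Greedy containment (assumed rule): repeatedly restrict the user or host
    whose removal cuts the most high-value resources off from the anomaly; ties
    go to the lowest-degree node, i.e. the least collateral disruption."""
    blocked = []

    def exposure(extra):
        return len(graph.reachable(anomaly, frozenset(blocked + extra)) & high_value)

    while budget > 0 and exposure([]) > 0:
        candidates = [n for n in graph.adj
                      if graph.layer[n] != "application" and n not in blocked]
        best = min(candidates, key=lambda n: (exposure([n]), len(graph.adj[n]), n))
        if exposure([best]) >= exposure([]):
            break  # no single further restriction reduces exposure
        blocked.append(best)
        budget -= 1
    return blocked


G = TripartiteGraph(LOGONS, APP_EVENTS)

if __name__ == "__main__":
    for entity, score in rank_anomalies(G, ["carol", "ws02", "alice"]):
        print(entity, score, G.pathway(entity, "mssql"),
              restriction_scope(G, entity, HIGH_VALUE))
```

On the constructed data, alice's pathway to the database is alice, ws02, bob, srv-db, mssql: the only bridge from her workstation to the server is bob's logon on the same host. For an anomaly flagged on host ws02 the greedy step therefore restricts bob rather than isolating the host, since both cut the pathway but bob has the smaller degree, while carol reaches no high-value resource and gets an empty scope. Restricting the start entity itself is allowed and wins for alice, where it is the lowest-collateral cut.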
October 11, 2017
December 1, 2020